Application/Control Number: 10/017,835
Art Unit: 3621 

DETAILED ACTION 

1. This communication is in response to the Application filed December 12, 2001.
Claims 1-43 have been examined in this case. 

Specification 

2. The lengthy specification has not been checked to the extent necessary to 
determine the presence of all possible minor errors. Applicant's cooperation is 
requested in correcting any errors of which applicant may become aware in the 
specification. 

Claim Rejections - 35 USC § 102 

3. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(a) the invention was known or used by others in this country, or patented or described in a printed
publication in this or a foreign country, before the invention thereof by the applicant for a patent. 

(e) the invention was described in (1) an application for patent, published under section 122(b), by
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by the 
applicant for patent, except that an international application filed under the treaty defined in section 
351(a) shall have the effects for purposes of this subsection of an application filed in the United States 
only if the international application designated the United States and was published under Article 21(2) 
of such treaty in the English language. 

4. Claims 1-6 are rejected under 35 U.S.C. 102(e) as being anticipated by French et
al (US 6,321,339).

5. Regarding claim 1 - 

French discloses a method of providing an authentication service, comprising: relating a 
user identity to a set of a plurality of authentication mechanisms; relating a type of 
transaction with a relying party to a level of authentication; and authenticating the user 
identity through at least one authentication mechanism in the set of the plurality of
authentication mechanisms for the type of transaction, according to the level of 
authentication (e.g. col 5 p 8 - col 6 p 2). 

6. Regarding claims 2-6 - 

French discloses the method as recited in claim 1, further comprising: selecting the at
least one authentication mechanism depending on the plurality of authentication 
mechanisms related with the user and the level of authentication (e.g. col 5 p 6); further 
comprising: monitoring a series of authentications for the relying party to detect fraud 
(e.g. col 5 p 6); wherein the authentication mechanisms in the set of authentication 
mechanisms are part of a distributed system (e.g. col 6 p 7); wherein at least one of the 
authentication mechanisms is mobile (e.g. col 2 p 3); a computer-readable medium 
having computer-executable instructions for performing the method as recited in claim 1 
(e.g. col 2 p 3). 

7. Claims 7-12 are rejected under 35 U.S.C. 102(e) as being anticipated by French 
et al (US 6,321,339).

8. Regarding claim 7 - 

French discloses a method of syndication, comprising: offering an authentication 
service, the authentication service being capable of authenticating a user identity with a 
plurality of authentication mechanisms, rendering results of the authentication to at least 
one relying party, and dynamically making an authorization decision; and distributing the 
authentication service to the at least one relying party (e.g. col 5 p 8 - col 6 p 2). 

9. Regarding claims 8-12 -

French discloses the method as recited in claim 7, wherein the at least one relying party
integrates the authentication service together with other offerings; wherein the dynamic 
authorization decision is based on a requested access level, authentication 
mechanisms used, and an account status; further comprising: providing secure recovery 
from potential fraud without requiring re-registration of a user; further comprising: 
charging the relying party for each authenticating event; and a computer-readable 
medium having computer-executable instructions for performing the method as recited 
in claim 6 (e.g. col 2 p 3, col 6 p 7, col 5 p 6).

10. Claims 13-26 are rejected under 35 U.S.C. 102(b) as being anticipated by 
Menezes et al ("Handbook of Applied Cryptography"). 

11. Regarding claim 13 -

Menezes discloses a method of registration, comprising: authenticating a user; 
determining a level of identity confirmation for a registration; receiving a new 
authentication mechanism; receiving new authentication verification information; and 
storing user identity information, the level of identity confirmation, and the new 
authentication verification information in a database (e.g. page 560 sec ii). 

12. Regarding claims 14-26 - 

Menezes discloses the method as recited in claim 13, wherein authenticating the user is 
done by a registration server; wherein authenticating the user is done by a registration 
agent; wherein authenticating the user is performed by using an authentication 
mechanism stored in the database; further comprising receiving from the user, a 
request for registration; wherein receiving the request for registration is done by an 
authentication server; wherein receiving the request for registration is done by an
authentication agent; wherein determining the level of identity confirmation for the 
registration is done by a registration server; wherein determining the level of identity 
confirmation for the registration is done by a registration agent; wherein receiving new 
authentication verification information is done by a registration server; further 
comprising sending the user identity information, the level of identity confirmation, and 
the new authentication verification information; wherein sending is done from a 
registration server to an authentication server; wherein sending the user identity 
information, the level of identity confirmation, and the authentication verification 
confirmation is done from a registration agent to a registration server; further comprising 
sending pre-existing user information (e.g. page 560 sec i; page 560 sec ii). 

13. Claims 27-40 are rejected under 35 U.S.C. 102(e) as being anticipated by French 
et al (US 6,321,339).

14. Regarding claim 27 - 

French discloses a method of providing an authentication service, comprising providing 
a list of supported authentication methods; receiving requirements for an authentication 
level from at least one relying party; receiving a selection of authentication methods 
from at least one user; receiving identification information for the at least one user; 
producing a portfolio associated with the at least one user, the portfolio comprising the 
list of authentication methods, each authentication method in the portfolio meeting the 
selection of the at least one user, each authentication method in the portfolio supported 
by an authentication system, the list of authentication methods meeting the 
requirements for the authentication level from the at least one relying party; and relating
the identification information to the portfolio for the at least one user (e.g. col 2 p 10 - 
col 3 p 1). 

15. Regarding claims 28-40 -

French discloses the method as recited in claim 27, wherein receiving the selection is a 
subset of the list of supported authentication methods; further comprising: storing the 
portfolio on an authentication server capable of providing the authentication service to 
the at least one relying party; further comprising providing a selection of authentication 
methods to the at least one user; receiving at least one selected authentication method 
from the at least one user; receiving authentication information required to perform 
authentication for each of the at least one selected authentication methods; wherein the 
portfolio includes the authentication information; further comprising authenticating, by 
the authentication system, the at least one user to the at least one relying party; wherein 
authenticating the at least one user to the at least one relying party comprises providing 
a challenge to the at least one user; accepting a response to the challenge from the at 
least one user; examining the response to the challenge to ensure its authenticity; 
comparing authentication information received by the at least one user to the portfolio 
associated with the at least one user; and communicating an authentication result to the 
at least one relying party; wherein the at least one relying party is an online pharmacy 
and the at least one user is a doctor; further comprising adding a new authentication 
method to the portfolio; wherein adding the new authentication method to the portfolio 
comprises authenticating the at least one user using an authentication method already 
in the portfolio; receiving authentication information for the new authentication method;
and storing the new authentication method and its authentication information in the 
portfolio; further comprising receiving notice of a potentially compromised authentication 
method in the portfolio; authenticating the at least one user using an authentication 
method already in the portfolio, but not using the potentially compromised authentication 
method; and revoking the authentication information for the potentially compromised 
authentication method in the portfolio associated with the at least one user; further
comprising monitoring authentication events for the at least one user; and detecting 
possible fraud for a suspect authentication method; further comprising authenticating 
the at least one user using an authentication method already in the portfolio, but not 
using the suspect authentication method; communicating the possible fraud to the at 
least one user; and upon confirmation of fraud, revoking the suspect authentication 
method in the portfolio; further comprising: automatically revoking the suspect 
authentication method in the portfolio; wherein the possible fraud is potentially serious 
fraud; and a computer-readable medium having computer-executable instructions for 
performing the method as recited in claim 27 (e.g. col 2 p 10 - col 3 p 1, col 5 p 8 - col
6 p 2).

16. Claims 41-43 are rejected under 35 U.S.C. 102(e) as being anticipated by French 
et al (US 6,321,339).

17. Regarding claim 41 - 

French discloses a method of authentication, comprising: requesting, by a user to a 
relying party, a protected service; sending, by the relying party, a description of the 
request to an authorization server; determining, by the authorization server, a first level
of assurance; sending, by the authorization server to an authentication server, the first 
level of assurance; requesting, by an authentication server, authentication from the 
user; entering, by the user, authentication information into an authentication device; 
sending, by the authentication device to the authentication server, authentication 
information; verifying, by the authentication server, the authentication information using
authentication verification information stored in a portfolio in a database that is 
associated with the user; computing, by the authentication server, a second level of 
assurance; evaluating whether the second level of assurance is high enough; sending, 
by the authentication server to the authorization server, a first success message, upon 
determining the second level of assurance is high enough; verifying, by the 
authorization server, information from the authentication server; verifying, by the 
authorization server, that the user is allowed to perform the protected service; sending,
by the authorization server to the relying party, a second success message, upon
verification of the information from the authentication server and verification that the 
user is allowed to perform the protected service; and providing, by the relying party to 
the user, the protected service (e.g. col 2 p 10 - col 3 p 1).

18. Regarding claims 42-43 -

French discloses the method as recited in claim 41, further comprising: requesting, by
the authentication server to the user, authentication using at least one additional 
authentication method, upon determining the second level of assurance is not high 
enough; further comprising sending, by the authentication server to the authorization 
server, a first failure message and a reduced level of assurance, upon determining the
user is unable to authenticate using the at least one additional authentication method;
storing, by the authorization server, the reduced level of assurance; sending, by the 
authorization server to the relying party, a second failure message; and providing, by 
the relying party to the user, a third failure message (e.g. col 5 p 8 - col 6 p 2).

19. Examiner's note: Examiner has cited particular columns and line numbers in 
the references as applied to the claims above for the convenience of the applicant. 
Although the specified citations are representative of the teachings in the art and are 
applied to the specific limitations within the individual claim, other passages and figures 
may be applied as well. It is respectfully requested from the applicant, in preparing the 
responses, to fully consider the references in entirety as potentially teaching all or part 
of the claimed invention as well as the context of the passage as taught by the prior art 
or disclosed by the examiner. 

Conclusion 

20. The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. 

21. Elander et al (US 4,500,750) discloses cryptographic application for interbank
verification. 

22. Obashi et al (US 5,761,309) discloses an authentication system.

23. Pare, Jr. et al (US 5,870,723) discloses a tokenless biometric transaction
authorization method and system. 

24. Kucharczyk et al (US 6,300,873) discloses a locking mechanism for use with
one-time access code. 

25. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Cristina Owen Sherr whose telephone number is 703- 
305-0625. The examiner can normally be reached on 8:30-5:00 Monday through 
Friday. 

26. If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, James Trammell can be reached on 703-305-9768. The fax phone number
for the organization where this application or proceeding is assigned is 703-872-9306. 

27. Information regarding the status of an application may be obtained from the
Patent Application Information Retrieval (PAIR) system. Status information for
published applications may be obtained from either Private PAIR or Public PAIR.
Status information for unpublished applications is available through Private PAIR only.
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 